Security Guardian Current - User Guide

Hybrid Audit

Hybrid Audit in Quest On Demand allows you to monitor and analyze activity across both your on-premises and cloud-based Microsoft environments from a single, unified interface. To accomplish this, Hybrid Audit agents are installed in your Active Directory domain to monitor and record activity. You can then search and view the recorded events through On Demand's Audit functionality.

Hybrid Audit requires the following components:

  • A deployed Hybrid Audit agent that has been configured as a broker that connects with your on-premises Active Directory domains. See Working with Hybrid Audit Brokers for more details.

  • Installed Hybrid Audit agent on Domain Controllers and member servers in the appropriate Active Directory domain to record events for actions performed on those computers. See Hybrid Audit Agent Deployment for details on installing an agent.

  • Enabled events within Security Guardian so they can then be searched and viewed with On Demand's Audit functionality. Refer to Audited Events Page Overview for more details.

For more details on installing and using a Hybrid Audit agent with Security Guardian, see:

Overview of the Hybrid Audit Workflow

To set up Hybrid Audit for Active Directory in your organization, follow these steps:

  • Step 1: Add a Domain

    • Navigate to Tenants | Active Directory Domains and add a new domain.

  • Step 2: Add Hybrid Agent

    • Go to Tenants | Hybrid Agents and add a hybrid agent.

  • Step 3: Install Hybrid Agent

    • Install the hybrid agent in the same Active Directory forest as the domain created in Step 1.

  • Step 4: Configure Hybrid Agent

    • Navigate to Tenants | Hybrid Agents and click Edit configuration on the newly installed agent.

    • Under Actions, click Select Actions and add Collect Active Directory object data and Manage Security Guardian Hybrid Audit.

    • Under Connected Domains, click Select Existing and add the domain from Step 1.

    • Click Save.

  • Step 5: Verify Broker Connection

    • Navigate to Security | Hybrid Audit | Brokers.

    • Wait a few minutes for the Hybrid Audit Broker to display and confirm it is connected.

  • Step 6: Wait for Topology Discovery

    • Navigate to Security | Hybrid Audit | Agent Deployment.

    • Wait for the topology to auto-complete and populate the list of non-workstation computers.

  • Step 7: Install Hybrid Audit Agents

    • In Security | Hybrid Audit | Agent Deployment, deploy Hybrid Audit agents to all Domain Controllers and Global Catalog Servers to audit:

      • Active Directory

      • Group Policy events

      • Logon Activity events

    • Deploy Hybrid Audit agents to other computers to audit Logon Activity as needed.

NOTE: Logon Activity (Authentication Activity) events require the native Windows "Audit Logon events" audit policy to be enabled on the audited servers. See the following guide for details: Change Auditor for Logon Activity Events.

  • Step 8: Review Audited Events

    • Navigate to Security | Hybrid Audit | Audited Events.

    • Review the list of events audited in the Active Directory forest.

  • Step 9: View Audited Event Details

    • Navigate to Audit | Searches.

    • Search events using predefined Active Directory, Group Policy, and Logon Activity searches.

    • Use the Hybrid Audit Event Name in the Change Auditor Event Class Name filter to create custom searches to search specific events.


Hybrid Audit Agent Deployment

The Agent Deployment page displays all servers in the Active Directory forest that the Hybrid Audit agent is installed in and allows you to manage agent installations across your on-premises environment. From here, you can:

  • View Hybrid Audit agent details.

  • Filter the computer list to find specific entries.

  • Install, upgrade, or uninstall agents on selected computers.

  • Track installation progress.

  • Monitor agent connection status to the Hybrid Audit Broker.

  • Run a topology scan to update your environment data.

  • Export the table view to a CSV file.

To open the Agent Deployment page:

  • Navigate to Hybrid Audit from the left-hand menu and select Agent Deployment.

Table 1: Available Computer Details

  • Computer Name – The computer display name.

  • Domain – The domain the computer belongs to.

  • Computer Type – The computer role, such as Global Catalog, Domain Controller, Read-only Domain Controller, or Member.

  • Agent Status – One of the following:

    • Not Installed – Agent has never been installed.

    • Deploying – Agent is currently being deployed.

    • Installed – Agent was installed but has never connected.

    • Connected – Agent is currently connected.

    • Disconnected – Agent was connected but is now offline.

    • Uninstalled – Agent has been removed.

  • Agent Version – The version number of the installed agent. An Info tip on the column header displays the latest available agent version number.

  • Last Deployment Result – The outcome of the most recent deployment attempt.

  • Connected To – The broker to which the computer is connected.


NOTE: Click Filter to apply filters by column and value or click a column header to sort or filter directly.

To install or upgrade an agent:

NOTE: You must use an account with local administrator rights on the target computer.

  1. Select the computers you want to install or upgrade the agent on.

  2. Click Install/Upgrade.

  3. Choose one of the following:

    • Run installation as Hybrid Agent service account (default).

    • Enter and validate credentials (used only for this operation; not stored).

  4. Once credentials are validated, the installation or upgrade process will begin.

To uninstall an agent:

  1. Select the computers you want to uninstall the agent from.

  2. Click Uninstall.

  3. Choose one of the following:

    • Run installation as Hybrid Agent service account (default).

    • Enter and validate credentials (used only for this operation; not stored).

  4. Once credentials are validated, the uninstall process will begin.

To initiate a scan of your environment to update topology data:

NOTE: Run a topology scan after adding new servers or domains to ensure the Agent Deployment page reflects the latest environment.

  1. Click Run Topology Collection.

  2. Confirm the action to scan and update the list of available servers.

To download the current table view as a CSV file:

  • Click Export to CSV to download the current table view for offline use or reporting.
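As an added example (not part of the Quest documentation or the product itself), the following Python script reads an Agent Deployment table saved with Export to CSV and flags coverage gaps against the Step 7 requirement that every Domain Controller and Global Catalog server runs a connected Hybrid Audit agent. The column names are those of Table 1; the exact header layout of the real export, the sample rows and the broker name are assumptions constructed here.

```python
import csv
import io

# Constructed sample of an Agent Deployment export. The header layout of the
# real export is an assumption; the column names follow Table 1.
SAMPLE_CSV = """Computer Name,Domain,Computer Type,Agent Status,Agent Version,Last Deployment Result,Connected To
DC01,forest.com,Domain Controller,Connected,2.3.1,Success,broker01.forest.com
GC01,forest.com,Global Catalog,Disconnected,2.3.1,Success,broker01.forest.com
DC02,domain1.forest.com,Domain Controller,Installed,2.2.0,Success,
RODC01,domain1.forest.com,Read-only Domain Controller,Not Installed,,,
FS01,domain1.forest.com,Member,Connected,2.3.1,Success,broker01.forest.com
APP01,domain2.forest.com,Member,Not Installed,,,
"""

# Roles that Step 7 requires to carry an agent so that Active Directory,
# Group Policy and Logon Activity events are audited.
REQUIRED_ROLES = {"Domain Controller", "Global Catalog", "Read-only Domain Controller"}


def version_tuple(version):
    """Turn '2.3.1' into (2, 3, 1) so agent versions compare numerically."""
    return tuple(int(part) for part in version.split(".")) if version else ()


def find_coverage_gaps(csv_text, latest_version):
    """Return (computer, domain, problem) tuples for rows that need attention."""
    gaps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, domain = row["Computer Name"], row["Domain"]
        role, status = row["Computer Type"], row["Agent Status"]
        required = role in REQUIRED_ROLES
        if status in ("Not Installed", "Uninstalled") and required:
            gaps.append((name, domain, f"{role} has no agent: AD, GPO and logon events are not audited"))
        elif status == "Disconnected":
            gaps.append((name, domain, "agent offline: events are not reaching the broker"))
        elif status == "Installed":
            gaps.append((name, domain, "agent installed but has never connected to a broker"))
        elif status == "Connected" and version_tuple(row["Agent Version"]) < version_tuple(latest_version):
            gaps.append((name, domain, f"agent {row['Agent Version']} is older than latest {latest_version}"))
    return gaps


if __name__ == "__main__":
    # "2.3.1" stands in for the latest version shown by the column's Info tip.
    for computer, domain, problem in find_coverage_gaps(SAMPLE_CSV, "2.3.1"):
        print(f"{computer}.{domain}: {problem}")
```

Member servers without an agent are not reported, since Step 7 makes Logon Activity auditing on those optional; raise the latest version to see outdated Connected agents flagged as well.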

Hybrid Audit Installation Notes

The following section outlines how to manage Shields Up and Tier Zero Protection in environments with both Hybrid Audit and Change Auditor deployed.

  • Scenario: Hybrid Audit enabled in a single domain forest (for example, forest.com) where Change Auditor is currently installed.

    • Only Change Auditor is installed in the organization.

    • Shields Up or Tier Zero Protection is enabled in Security Guardian.

    • Protection templates are sent to the Change Auditor installation with the same domain ID as the Shields Up domain or the Tier Zero object.

    • A Hybrid Audit agent is assigned to forest.com that has Manage Security Guardian Hybrid Audit enabled to designate a Hybrid Audit Broker.

    • Security Guardian detects that Shields Up and Tier Zero objects with domain ID matching forest.com now have a Hybrid Audit Broker assigned.

    • Protection templates for forest.com are no longer sent to Change Auditor coordinators and previously “Protected” Tier Zero objects have their status changed to “Not protected”.

      • Change Auditor agents in forest.com will no longer receive new protection templates.

    • When Shields Up or Tier Zero protection is enabled for Tier Zero objects with the domain ID for forest.com, the protection templates are now sent to the Hybrid Audit Broker.

      • As Hybrid Audit agents are installed, they will get the protection templates from the Hybrid Audit Broker.

  • Scenario: Hybrid Audit enabled in multi-domain forest (for example, domain1.forest.com, domain2.forest.com) where Change Auditor is installed.

    • Only Change Auditor is installed in the organization.

    • Shields Up or Tier Zero Protection is enabled in Security Guardian.

    • Protection templates are sent to the Change Auditor installation with the same domain ID as the Shields Up domain or the Tier Zero object (domain1.forest.com or domain2.forest.com).

    • The Hybrid Audit agent assigned to domain1.forest.com has Manage Security Guardian Hybrid Audit enabled.

    • Security Guardian detects that the Shields Up domain or Tier Zero objects with the domain ID for domain1.forest.com now have a Hybrid Audit Broker.

    • Protection templates for domain1.forest.com are no longer sent to Change Auditor coordinators and previously “Protected” Tier Zero objects have a status of “Not protected”.

    • When Shields Up or Tier Zero protection is enabled for Tier Zero objects with a domain ID matching domain1.forest.com, the protection templates are now sent to the Hybrid Audit Broker.

      • As Hybrid Audit agents from domain1.forest.com are installed, they will get the protection templates from the Hybrid Audit Broker.

    • Protection templates for domain2.forest.com continue to be sent to Change Auditor.

      • Any Hybrid Audit agents installed in domain2.forest.com will not get protection templates since Security Guardian sees them as being handled by Change Auditor.
